Abstract. We give an evolving algebra solution for the well-known railroad crossing problem and use the occasion to experiment with agents that perform instantaneous actions in continuous time and in particular with agents that fire at the moment they are enabled.



1 Introduction 

The well-known railroad crossing problem has been used as an example for comparing various specification and validation methodologies; see for example [?] and the relevant references there. The evolving algebras (EA) methodology has been used extensively for specification and validation for real-world software and hardware systems; see the EA guide [3] and the EA bibliography [?]. The merits of using "toy" problems as benchmarks are debatable; not every methodology scales well to real-world problems. Still, toy problems are appropriate for experimentation. Here we present an evolving algebra solution for the railway crossing problem and use the opportunity for experimentation with instantaneous actions and reactions in real time.

In Sect. 2, we describe a version of the railroad crossing problem. It is not difficult to generalize the problem (e.g. by relaxing our assumptions on trains) and to generalize the solution accordingly. An interested reader may view that as an exercise.

In Sect. 3, we give a brief introduction to evolving algebras (in short, ealgebras), in order to make this paper self-contained. We omit many important aspects of ealgebras and refer the interested reader to a fuller definition in the EA guide [3]. In Sect. 4, experimenting with instantaneous actions in real time, we define special distributed real-time ealgebras appropriate to situations like that of the railroad crossing problem.

In Sect. 5 and Sect. 6, we give a solution for the railroad crossing problem which is formalized as an ealgebra. The program for the ealgebra is given in Sect. 5. The reader may wish to look at Sect. 5 right away; the notation is self-explanatory to a large extent. In Sect. 6, we define regular runs (the only relevant runs) of our ealgebra and analyze those runs. Formally speaking, we have to prove the existence of regular runs for every possible pattern of trains; for technical reasons, we delay the existence theorem until later.

In Sect. 7, we prove the safety and liveness properties of our solution. In 
Sect. 8 we prove a couple of additional properties of our ealgebra. In Sect. 9, we 
take advantage of the additional properties and prove the existence theorem for 
regular runs and analyze the variety of regular runs. 

The ealgebra formalization is natural and this allows us to use intuitive terms 
in our proofs. One may have an impression that no formalization is really needed. 
However, a formalization is needed if one wants a mathematical verification of 
an algorithm: mathematical proofs are about mathematical objects. Of course, 
we could avoid intuitive terms and make the proofs more formal and pedantic, 
but this paper is addressed to humans and it is so much harder to read pedantic 
proofs. It is a long standing tradition of applied mathematics to use intuitive 
terms in proofs. Let us notice though that more formal and pedantic proofs have 
their own merits; if one wants to check the details of our proofs by machine, it 
is useful to rewrite the proofs in a pedantic way. In any case, we see a great 
value in the naturality of formalization. No semantical approach makes inherent 
difficulties of a given problem go away. At best, the approach does not introduce 
more complications and allows one to deal with the inherent complexity of the 
given problem. 
2 The Railroad Crossing Problem

Imagine a railroad crossing with several train tracks and a common gate, such as the one depicted in Fig. 1. Sensors along every track detect oncoming and departing trains. Let us consider one of the tracks, shown in Fig. 2. It has four sensors at points L1, L2, R1 and R2. Sensor L1 detects trains coming from the left, and sensor L2 detects when those trains leave the crossing. Similarly sensor R1 detects trains coming from the right, and sensor R2 detects when those trains leave the crossing. Based on signals from these sensors, an automatic controller signals the gate to open or close.

The problem is to design a controller that guarantees the following require- 
ments. 

Safety If a train is in the crossing, the gate is closed. 
Liveness The gate is open as much as possible. 

Several assumptions are made about the pattern of train movement. For 
example, if a train appears from the left, it leaves the crossing to the right. It 
is easiest to express those assumptions as a restriction on possible histories of 
train motion on any given track. 
Fig. 1. A railroad crossing.

Fig. 2. Placement of sensors along a railroad track.

Assumptions Regarding Train Motion. For any given track, there is a finite or infinite sequence of moments

$t_0 < t_1 < t_2 < t_3 < \dots$

satisfying the following conditions.

Initial State The moment $t_0$ is the initial moment. The observed part [L1, R1] of the track is empty at $t_0$.

Train Pattern If $t_{3i+1}$ appears in the sequence then $t_{3i+3}$ appears in the sequence and we have that

— at $t_{3i+1}$, one oncoming train is detected at L1 or R1,

— at $t_{3i+2}$ the train reaches the crossing, and

— at $t_{3i+3}$ the train is detected to have left the crossing at L2 or R2 respectively.

Completeness There are no other trains.



Additional Assumptions. From the moment that an oncoming train is detected, it takes time between $d_{\min}$ and $d_{\max}$ for the train to reach the crossing. In terms of the sequence $(t_0 < t_1 < t_2 < t_3 < \dots)$ above, this assumption can be stated as follows:

1 Every difference $t_{3i+2} - t_{3i+1}$ belongs to the interval $[d_{\min}, d_{\max}]$.

Further, the gate closes within time $d_{\mathrm{close}}$ and opens within time $d_{\mathrm{open}}$. This does not necessarily mean that if the controller signals the gate to close (respectively open) at moment t then the gate closes (respectively opens) by time $t + d_{\mathrm{close}}$ (respectively $t + d_{\mathrm{open}}$). Let us state the assumption more precisely as a restriction on possible histories.

2 There is no interval $I = (t, t + d_{\mathrm{close}})$ (respectively $I = (t, t + d_{\mathrm{open}})$) during which the signal to close (respectively to open) is in force but the gate is not closed (respectively opened) at any moment in I.

It is easy to see that the controller cannot guarantee that the safety requirement is satisfied if $d_{\min} < d_{\mathrm{close}}$. We ignore the case $d_{\min} = d_{\mathrm{close}}$ and assume that

$d_{\mathrm{close}} < d_{\min}$.

Finally, we will assume that actions are performed instantaneously. Of course, real actions take time and the use of instantaneous actions is an abstraction. But this may be a useful abstraction. For example, in our case, it is natural to ignore the time taken by the controller's actions. It is not natural at all to view closing and opening of the gate as instantaneous actions, and we will not do that. Let us stress that the evolving algebra methodology does not require that actions are necessarily instantaneous. See for example [?] where an instantaneous action ealgebra is refined to a prolonged-action ealgebra.

The design part of the railway crossing problem is not difficult, especially 
because the problem has been addressed in a number of papers. What remains 
is to formalize the design in a specification language, in our case as an evolving 
algebra, and prove the safety and liveness requirements are satisfied. 

3 Evolving Algebras Reminder 

We give a brief reminder on evolving algebras based on the EA guide [3]. We present only what is necessary here and ignore many important features.

3.1 Static Algebras 

Static algebras are essentially logicians' structures except that a tiny bit of meta-mathematics is built into them. They are indeed algebras in the sense of the science of universal algebra.

A vocabulary is a collection of function symbols; each symbol has a fixed arity. Some function symbols are tagged as relation symbols (or predicates). It is supposed that every vocabulary contains the following logic symbols: nullary symbols true, false, undef, a binary symbol =, and the symbols of the standard propositional connectives.

A static algebra (or a state) A of vocabulary $\Upsilon$ is a nonempty set X (the basic set or superuniverse of A), together with interpretations of all function symbols in $\Upsilon$ over X (the basic functions of A). A function symbol f of arity r is interpreted as an r-ary operation over X (if r = 0, it is interpreted as an element of X). The interpretations of predicates (basic relations) and the logic symbols satisfy some obvious requirements stated below.

Remark on notations and denotations. A symbol in $\Upsilon$ is a name or notation for the operation that interprets it in A, and the operation is the meaning or denotation of the symbol in A. In English, the word "spoon" is a name of a familiar table utensil, and one says "I like that spoon" rather than the more cumbersome "I like that utensil named 'spoon'". Similarly, when a state is fixed, we may say that f maps a tuple a to an element b rather than that the interpretation of f maps a tuple a to an element b.

On the interpretations of logic symbols and predicates. Intuitively, (the inter- 
pretations of) true and false represent truth and falsity respectively. Accordingly, 
the symbols true and false are interpreted by different elements. These two ele- 
ments are the only possible values of any basic relation. The Boolean connectives 
behave in the expected way over these two elements, and the equality function 
behaves in the expected way over all elements. 

Universes and typing. Formally speaking, a static algebra is one-sorted. However, it may be convenient to view it as many-sorted; here we describe a standard way to do this. Some unary basic relations are designated as universes (or sorts) and their names may be called universe symbols. One thinks about a universe U as a set $\{x : U(x) = \mathit{true}\}$. Basic functions are assigned universes as domains. For example, the domain of a binary function f may be given as $U_1 \times U_2$ where $U_1$ and $U_2$ are universes. If f is a relation, this means that $f(a_1, a_2) = \mathit{false}$ whenever $a_1 \notin U_1$ or $a_2 \notin U_2$. Otherwise this means that $f(a_1, a_2) = \mathit{undef}$ whenever $a_1 \notin U_1$ or $a_2 \notin U_2$, so that f is intuitively a partial function.

Remark on the built-in piece of meta-mathematics. In first-order logic, an assertion about a given structure does not evaluate to any element of the structure. For technical convenience, in evolving algebras truth and falsity are represented internally and many assertions can be treated as terms. This technical modification does not prevent us from dealing with assertions directly. For example, let f, g be nullary function symbols and P a binary function symbol. Instead of saying that P(f, g) evaluates to true (respectively false) at a state A, we may say P(f, g) holds (respectively fails) at A. In some cases, we may even omit "holds"; for example, we may assert simply that $f \ne g$. Admittedly, this is not very pedantic, but we write for humans, not machines.

3.2 Updates 

Alternatively, a state can be viewed as a kind of memory. A location $\ell$ of a state A of vocabulary $\Upsilon$ is a pair $\ell = (f, a)$ where f is a symbol in $\Upsilon$ of some arity r and a is an r-tuple of elements of A (that is, of the superuniverse of A). The element f(a) is the content of location $\ell$ in A.

An update of state A is a pair $(\ell, b)$, where $\ell$ is some location (f, a) of A and b is an element of A; it is supposed that b is (the interpretation of) true or false if f is a predicate. This update is trivial if b is the content of $\ell$ in A. An update can be performed: just replace the value at location $\ell$ with b. The vocabulary, the superuniverse and the contents of other locations remain unchanged. The state changes only if the update is nontrivial.

Call a set $S = \{(\ell_1, b_1), \dots, (\ell_n, b_n)\}$ of updates of a state A consistent if no location occurs in S with two different values. In other words, S is inconsistent if there are i, j such that $\ell_i = \ell_j$ but $b_i \ne b_j$. In the case that S is consistent it is performed as follows: replace the content of $\ell_1$ with $b_1$, the content of $\ell_2$ with $b_2$ and so on. To perform an inconsistent update set, do nothing.

A pedantic remark. The equality used in the previous paragraph is not the 
built-in equality of A but rather the equality of the meta language. One could 
use another symbol for the built-in equality, but this is not necessary. 

A remark to theoreticians. At the point that updates are introduced, some people, in particular Robin Milner, raise an objection that an update may destroy algebraic properties. For example, an operation may lose associativity. That is true. So, in what sense are static algebras algebraic? They are algebraic in the sense that the nature of elements does not matter and one does not distinguish between isomorphic algebras. A standard way to access a particular element is to write a term that evaluates to that element. Coming back to algebraic properties like associativity (and going beyond the scope of this paper), let us note that, when necessary, one can guarantee that such a property survives updating by declaring some functions static or by imposing appropriate integrity constraints or just by careful programming.

3.3 Basic Rules 

In this subsection we present the syntax and semantics of basic rules. Each rule 
R has a vocabulary, namely the collection of function symbols that occur in R. 
A rule R is applicable to a state A only if the vocabulary of A includes that of R. 
At each state A of sufficiently rich vocabulary, R gives rise to a set of updates. 
To execute R at such a state A, perform the update set at A. 
A basic update rule R has the form

$f(e_1, \dots, e_r) := e$

where f is an r-ary function symbol (the head of R) and each $e_i$ is a ground term, that is, a term without any variables. (In programming languages, terms are usually called expressions; that motivates the use of the letter e for terms.) To execute R at a state A of sufficiently rich vocabulary, evaluate all terms at A and then change f accordingly. In other words, the update set generated by R at A consists of one update $(\ell, a_0)$ where $\ell = (f, (a_1, \dots, a_r))$ and each $a_i$ is the value of $e_i$ at A.



For example, consider an update rule $f(c_1 + c_2) := c_0$ and a state A where + is interpreted as the standard addition function on natural numbers and where $c_1, c_2, c_0$ have values 3, 5, 7 respectively. To execute the rule at A, set f(8) to 7.

There are only two basic rule constructors. One is the conditional constructor which produces rules of the form:

if g then $R_1$ else $R_2$ endif

where g is a ground term (the guard of the new rule) and $R_1$, $R_2$ are rules. To execute the new rule in a state A of sufficiently rich vocabulary, evaluate the guard. If it is true, then execute $R_1$; otherwise execute $R_2$. (The "else" clause may be omitted if desired.)

The other constructor is the block constructor which produces rules of the form:

block
    $R_1$
    ...
    $R_k$
endblock

where $R_1, \dots, R_k$ are rules. (We often omit the keywords "block" and "endblock" for brevity and use indentation to eliminate ambiguity.) To execute the new rule in a state A of sufficiently rich vocabulary, execute rules $R_1, \dots, R_k$ simultaneously. More precisely, the update set generated by the new rule at A is the union of the update sets generated by the rules $R_i$ at A.

A basic program is simply a basic rule.

In this paper we say that a rule R is enabled at a state A of sufficiently rich vocabulary if the update set generated by R at A is consistent and contains a non-trivial update; otherwise R is disabled at A. (The notion of being enabled has not been formalized in the EA guide.) Rules will be executed only if they are enabled, so that the execution changes a given state. This seems to be a very pedantic point. What harm is done by executing a rule that does not change a given state? It turns out that the stricter notion of being enabled is convenient in real-time computational theory; see Lemma 7 in this connection.
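The update-set semantics of Sect. 3.2 and 3.3 (locations, consistency, the conditional and block constructors, and the stricter notion of "enabled") can be made executable in a few lines. The following is an added example, not code from the paper; it assumes a representation in which a state is a dictionary from locations (f, args) to contents and a term is a Python callable from a state to a value, so that no term parser is needed. The rules exercised at the bottom are the paper's own $f(c_1 + c_2) := c_0$ example plus two constructed ones: a block with a clashing pair of updates to f(8) and a block that swaps two nullary functions.

```python
"""Executable reading of the update-set semantics of Sect. 3.2-3.3 (added example).

A state is a dict from locations (f, args) to contents; absent locations hold
undef (None).  Terms are Python callables state -> value, an assumption made
here so that no term parser is needed.  Rules are tuples:
  ("update", f, [arg_terms], value_term)       f(e1, ..., er) := e
  ("if", guard_term, then_rule, else_rule)     else_rule may be None
  ("block", [rules])                           executed simultaneously
"""

UNDEF = None


def lookup(state, f, *args):
    """Content of location (f, args); undef if the location was never set."""
    return state.get((f, tuple(args)), UNDEF)


def update_set(rule, state):
    """Update set generated by `rule` at `state`, as a list of (location, value).

    Every term is evaluated at the *given* state, so a block such as
    {c1 := c2, c2 := c1} swaps the two values rather than copying one."""
    kind = rule[0]
    if kind == "update":
        _, f, arg_terms, val_term = rule
        loc = (f, tuple(e(state) for e in arg_terms))
        return [(loc, val_term(state))]
    if kind == "if":
        _, guard, then_rule, else_rule = rule
        chosen = then_rule if guard(state) else else_rule
        return update_set(chosen, state) if chosen is not None else []
    if kind == "block":
        return [u for sub in rule[1] for u in update_set(sub, state)]
    raise ValueError("unknown rule kind %r" % kind)


def consistent(updates):
    """Consistent iff no location is given two different values."""
    seen = {}
    for loc, val in updates:
        if loc in seen and seen[loc] != val:
            return False
        seen[loc] = val
    return True


def enabled(rule, state):
    """The paper's notion: consistent and containing at least one non-trivial update."""
    ups = update_set(rule, state)
    return consistent(ups) and any(lookup(state, loc[0], *loc[1]) != val
                                   for loc, val in ups)


def execute(rule, state):
    """Perform the update set; an inconsistent set leaves the state unchanged."""
    ups = update_set(rule, state)
    new = dict(state)
    if consistent(ups):
        for loc, val in ups:
            new[loc] = val
    return new


def nullary(name):
    """Term reading a nullary function."""
    return lambda s: lookup(s, name)


def example_state():
    """The state of the paper's example: c1, c2, c0 have values 3, 5, 7."""
    return {("c1", ()): 3, ("c2", ()): 5, ("c0", ()): 7}


# f(c1 + c2) := c0, the rule discussed in Sect. 3.3
RULE_F = ("update", "f", [lambda s: lookup(s, "c1") + lookup(s, "c2")], nullary("c0"))
# constructed: two rules writing different values to the same location f(8)
CLASH = ("block", [RULE_F, ("update", "f", [lambda s: 8], lambda s: 0)])
# constructed: simultaneous execution, both right-hand sides see the old state
SWAP = ("block", [("update", "c1", [], nullary("c2")),
                  ("update", "c2", [], nullary("c1"))])
# constructed: guarded rule, enabled only while c1 differs from c2
GUARDED = ("if", lambda s: lookup(s, "c1") != lookup(s, "c2"),
           ("update", "c1", [], nullary("c2")), None)

if __name__ == "__main__":
    s = example_state()
    print(execute(RULE_F, s)[("f", (8,))])        # 7
    print(consistent(update_set(CLASH, s)))       # False
    t = execute(SWAP, s)
    print(lookup(t, "c1"), lookup(t, "c2"))       # 5 3
    print(enabled(GUARDED, execute(GUARDED, s)))  # False: the update would be trivial
```

The last line illustrates the point of the stricter definition: once c1 equals c2, GUARDED's update set is empty, so the rule counts as disabled rather than as "executing without effect".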

3.4 Parallel Synchronous Rules 

Generalize the previous framework in two directions. First, permit terms with 
variables and generalize the notion of state: in addition to interpreting some 
function names, a generalized state may assign values to some variables. (Notice 
that a variable cannot be the head of an update rule.) 

Second, generalize the notion of guards by allowing bounded quantification. More formally, we define guards as a new syntactical category. Every term $P(e_1, \dots, e_r)$, where P is a predicate, is a guard. A Boolean combination of guards is a guard. If g(x) is a guard with a variable x and U is a universe symbol then the expression $(\forall x \in U)\,g(x)$ is also a guard.

The semantics of guards is quite obvious. A guard g(y) with free variables y holds or fails at a (generalized) state A that assigns values to all free variables of g. The least trivial case is that of a guard $g(y) = (\forall x \in U)\,g'(x, y)$. For every element b of U in A, let $A_b$ be the expansion of A obtained by assigning the value b to x. Then g(y) holds at A if $g'(x, y)$ holds at every $A_b$; otherwise it fails at A.

Now consider a generalized basic rule R(x) with a variable x and let U be a universe symbol. Form the following rule $R^*$:

var x ranges over U
    R(x)
endvar

Intuitively, to execute $R^*$, one executes R(x) for every $x \in U$. To make this more precise, let A be a (generalized) state that interprets all function names in the vocabulary of R(x) and assigns values to all free variables of R(x) except for x. For each element b of the universe U in A, let $A_b$ be the expansion of A obtained by assigning the value b to x, and let $E_b$ be the update set generated by R(x) at $A_b$. Since x does not appear as the head of any update instruction in R(x), each $E_b$ is also a set of updates of A. The update set generated by $R^*$ at A is the union of the update sets $E_b$.

Call the new rule a parallel synchronous rule (or a declaration rule, as in 
the EA guide). A parallel synchronous program is simply a parallel synchronous 
rule without free variables. Every occurrence of a variable should be bound by 
a declaration or a quantifier. 

3.5 Special Distributed Programs 

For our purposes here, a distributed program Π is given by a vocabulary and a finite set of basic or parallel synchronous programs with function symbols from the vocabulary of Π. The constituent programs are the modules of Π. A state of Π is a state of the vocabulary of Π. Intuitively, each module is executed by a separate agent.

This is a very restricted definition. For example, the EA guide allows the 
creation of new agents during the evolution. 

Intuitively, it is convenient though to distinguish between a module (a piece 
of syntax) and its executor, and even think about agents in anthropomorphic 
terms. But since in this case agents are uniquely defined by their programs, there 
is no real need to have agents at all, and we may identify an agent by the name 
of its program. 

4 Special Distributed Real-Time Ealgebras 

A program does not specify a (distributed) ealgebra completely. We need to define what constitutes a computation (or a run) and then to indicate initial states and maybe a relevant class of runs. In this section, we define a restricted class of distributed real-time evolving algebras by restricting attention to static algebras of a particular kind and defining a particular notion of run.

We are interested in computations in real time that satisfy the following assumptions.

I1 Agents execute instantaneously.

I2 Environmental changes take place instantaneously.

I3 The global state of the given distributed ealgebra is well defined at every moment.

Let us stress again that the three assumptions above are not a part of the evolving algebra definition. The prolonged-action ealgebra [?], mentioned in Sect. 2, satisfies none of these three assumptions.

Vocabularies and Static Structures. Fix some vocabulary $\Upsilon$ with a universe symbol Reals and let $\Upsilon^+$ be the extension of $\Upsilon$ with a nullary function symbol CT; it is supposed of course that $\Upsilon$ does not contain CT. Restrict attention to $\Upsilon^+$-states where the universe Reals is the set of real numbers and CT evaluates to a real number. Intuitively, CT gives the current time.

4.1 Pre-runs 

Definition 1. A pre-run R of vocabulary $\Upsilon^+$ is a mapping from the interval $[0, \infty)$ of the real line to states of vocabulary $\Upsilon^+$ satisfying the following requirements, where $\rho(t)$ is the reduct of R(t) to $\Upsilon$.

Superuniverse Invariability The superuniverse does not change during the evolution; that is, the superuniverse of every R(t) is that of R(0).

Current Time At every R(t), CT evaluates to t.

Discreteness For every $\tau > 0$, there is a finite sequence $0 = t_0 < t_1 < \dots < t_n = \tau$ such that if $t_i < \alpha < \beta < t_{i+1}$ then $\rho(\alpha) = \rho(\beta)$. □

Remarks. Of course, we could start with an initial moment different from 0, 
but without loss of generality we can assume that the initial moment is 0. Our 
discreteness requirement is rather simplistic (but sufficient for our purposes in 
this paper). One may have continuous time-dependent basic functions around 
(in addition to CT); in such cases, the discreteness requirement becomes more 
subtle. 

In the rest of this section, R is a pre-run of vocabulary $\Upsilon^+$ and $\rho(t)$ is the reduct of R(t) to $\Upsilon$.

The notation $\rho(t+)$ and $\rho(t-)$ is self-explanatory; still, let us define it precisely. $\rho(t+)$ is any state $\rho(t + \varepsilon)$ such that $\varepsilon > 0$ and $\rho(t + \delta) = \rho(t + \varepsilon)$ for all positive $\delta < \varepsilon$. Similarly, if t > 0 then $\rho(t-)$ is any state $\rho(t - \varepsilon)$ such that $0 < \varepsilon < t$ and $\rho(t - \delta) = \rho(t - \varepsilon)$ for all positive $\delta < \varepsilon$.

Call a moment t significant for R if (i) t = 0 or (ii) t > 0 and either $\rho(t) \ne \rho(t-)$ or $\rho(t) \ne \rho(t+)$.



Lemma 2. For any moment t, $\rho(t+)$ is well defined. For any moment t > 0, $\rho(t-)$ is well defined. If there are infinitely many significant moments then their supremum equals $\infty$.

Proof. Obvious. □ 

Recall that a set S of nonnegative reals is discrete if it has no limit points. In other words, S is discrete if and only if, for every nonnegative real $\tau$, the set $\{t \in S : t < \tau\}$ is finite. The discreteness requirement in the definition of pre-runs means exactly that the collection of the significant points of R is discrete.

We finish this subsection with a number of essentially self-evident definitions related to a given pre-run R. Let e be a term of vocabulary $\Upsilon^+$. If e has free variables then fix the values of those variables, so that e evaluates to a definite value in every state of vocabulary $\Upsilon^+$. (Formally speaking e is a pair of the form $(e', \xi)$ where $e'$ is a term and $\xi$ assigns elements of R(0) to the free variables of $e'$.)

The value $e_t$ of e at moment t is the value of e in R(t). Accordingly, e holds (respectively fails) at t if it does so in R(t). Likewise, a module is enabled (respectively disabled) at t if it is so in R(t). In a similar vein, we speak about a time interval I. For example, e holds over I if it holds at every $t \in I$.

If e has the same value over some nonempty interval $(t, t + \varepsilon)$, then this value is the value $e_{t+}$ of e at t+. Similarly, if t > 0 and e has the same value over some nonempty interval $(t - \varepsilon, t)$, then this value is the value $e_{t-}$ of e at t−. Define accordingly when e holds or fails at t+, t− and when an agent is enabled or disabled at t+, t−.

Further, e is set to a value a (or simply becomes a) at t if either (i) $e_{t-} \ne a$ and $e_t = a$, or else (ii) $e_t \ne a$ and $e_{t+} = a$. Define accordingly when an agent becomes enabled or disabled at t.

4.2 Runs 

Now consider a distributed program Π with function symbols from vocabulary $\Upsilon^+$. Runs of Π are pre-runs with some restrictions on how the basic functions evolve. Depending upon their use, the basic functions of Π fall into the following three disjoint categories.

Static These functions do not change during any run. The names of these functions do not appear as the heads of update rules in Π.

Internal Dynamic These functions may be changed only by agents. The names of these functions appear as the heads of update rules and the functions are changed by executing the modules of Π. For brevity, we abbreviate "internal dynamic" to "internal".

External Dynamic These functions may be changed only by the environment. 
The names of these functions do not appear as the heads of update rules; nev- 
ertheless the functions can change from one state to another. Who changes 
them? The environment. Some restrictions may be imposed on how these 
functions can change. For brevity, we abbreviate "external dynamic" to "ex- 
ternal" . 



Remark. It may be convenient to have functions that can be changed both by agents and the environment. The EA guide allows that, but we do not need that generality here.

Before we give the definition of runs, let us explain informally that one should 
be cautious with instantaneous actions. In particular, it may not be possible to 
assume that agents always fire at the moment they become enabled. Consider 
the following two interactive scenarios. 

Scenario 1 The environment changes a nullary external function f at moment t. This new value of f enables an agent X. The agent fires immediately and changes another nullary function g.

What are the values of f and g at time t, and at what time does X fire? If f has its old value at t then X is disabled at t and fires at some time after t; thus X does not fire immediately. If g has its new value already at t then X had to fire at some time before t; that firing could not be triggered by the change of f. We arrive at the following conclusions: f has its new value at t (and thus $f_t$ differs from $f_{t-}$), X fires at t, and g has its old value at t (and thus $g_t$ differs from $g_{t+}$).

Scenario 2 At time t, an agent X changes a function g and in so doing enables another agent Y while disabling itself.

When does Y fire? Since X fires at t, it is enabled at t and thus g has its old value at t. Hence Y is disabled at t and fires at some time after t. Thus Y cannot react immediately.

The following definition is designed to allow immediate agents. 

Definition 3. A pre-run R of vocabulary $\Upsilon^+$ is a run of Π if it satisfies the following conditions, where $\rho(t)$ is the reduct of R(t) to $\Upsilon$.

1. If $\rho(t+)$ differs from $\rho(t)$ then $\rho(t+)$ is the $\Upsilon$-reduct of the state resulting from executing some modules $M_1, \dots, M_k$ at R(t). In such a case we say t is internally significant and the executors of $M_1, \dots, M_k$ fire at t. All external functions with names in $\Upsilon$ have the same values in $\rho(t)$ and $\rho(t+)$.

2. If $\tau > 0$ and $\rho(\tau)$ differs from $\rho(\tau-)$ then they differ only in the values of external functions. In such a case we say $\tau$ is externally significant. All internal functions have the same values in $\rho(\tau-)$ and $\rho(\tau)$. □

Remark. Notice the global character of the definition of firing. An agent fires at a moment t if $\rho(t+) \ne \rho(t)$. This somewhat simplified definition of firing is sufficient for our purposes in this paper.

In the rest of this section, R is a run of Π and $\rho(t)$ the reduct of R(t) to $\Upsilon$. Let e be a term with fixed values of all its free variables. A moment t is significant for e if, for every $\varepsilon > 0$, there exists a moment $\alpha$ such that $|\alpha - t| < \varepsilon$ and $e_\alpha \ne e_t$. Call e discrete (in the given run R) if the collection of significant moments of e is discrete. In other words, e is discrete if and only if, for every $\tau > 0$, there is a finite sequence

$0 = t_0 < t_1 < \dots < t_n = \tau$

such that if $t_i < \alpha < \beta < t_{i+1}$ then $e_\alpha = e_\beta$.

Lemma 4 (Discrete Term Lemma). If a term e is discrete then

1. For every t, e has a value at t+.

2. For every t > 0, e has a value at t−.

Proof. Obvious. □



Lemma 5 (Preservation Lemma). Suppose that a term e with fixed values of its free variables does not contain CT. Then e is discrete. Furthermore,

1. If e contains no external functions and t > 0 then $e_t = e_{t-}$.

2. If e contains no internal functions then $e_{t+} = e_t$.

Proof. This is an obvious consequence of the definition of runs. □

It may be natural to have agents that fire the instant they are enabled.

Definition 6. An agent is immediate if it fires at every state where it is enabled. □

Lemma 7 (Immediate Agent Lemma).

1. The set of moments when an immediate agent is enabled is discrete.

2. If the agent is enabled at some moment t then it is disabled at t+ and, if t > 0, at t−.

Proof.

1. If the agent is enabled at a moment t, it fires at t and therefore (according to our notion of being enabled) changes the state; it follows that t is a significant moment of the run. By the discreteness condition on pre-runs, the collection of significant moments of a run is discrete. It remains to notice that every subset of a discrete set is discrete.

2. Follows from 1. □

Recall Scenario 2. There agent Y cannot be immediate. Nevertheless, it may make sense to require that some agents cannot delay firing forever.

Definition 8. An agent X is bounded if it is immediate or there exists a bound b > 0 such that there is no interval (t, t + b) during which X is continuously enabled but does not fire. □

Notice that it is not required that if a bounded agent X becomes enabled at some moment $\alpha$, then it fires at some moment $\beta < \alpha + b$. It is possible a priori that X becomes disabled and does not fire in that interval.



5 The Ealgebra for the Railroad Crossing Problem

We present our solution for the railroad crossing problem formalized as an evolving algebra A of a vocabulary $\Upsilon^+ = \Upsilon \cup \{CT\}$. In this section, we describe the program and initial states of A; this will describe the vocabulary as well. The relevant runs of A will be described in the next section.

The program of A has two modules gate and controller, shown in Fig. 3.

GATE

if Dir = open then GateStatus := opened endif
if Dir = close then GateStatus := closed endif

CONTROLLER

var x ranges over Tracks
    if TrackStatus(x) = coming and Deadline(x) = ∞ then
        Deadline(x) := CT + WaitTime
    endif
    if CT = Deadline(x) then Dir := close endif
    if TrackStatus(x) = empty and Deadline(x) < ∞ then
        Deadline(x) := ∞
    endif
endvar

if Dir = close and SafeToOpen then Dir := open endif

Fig. 3. Rules for gate and controller.

Here WaitTime abbreviates the term $d_{\min} - d_{\mathrm{close}}$ and SafeToOpen abbreviates the term

$(\forall x \in \mathit{Tracks})\,[\mathit{TrackStatus}(x) = \mathit{empty} \text{ or } CT + d_{\mathrm{open}} < \mathit{Deadline}(x)]$.

We will refer to the two constituent rules of gate as OpenGate and CloseGate respectively. We will refer to the three constituent rules of controller's parallel synchronous rule as SetDeadline(x), SignalClose(x) and ClearDeadline(x), respectively, and to the remaining conditional rule as SignalOpen.

Our GateStatus has only two values: opened and closed. This is of course a simplification. The position of a real gate could be anywhere between fully closed and fully opened. (In [?], the position of the gate ranges between 0° and 90°.) But this simplification is meaningful. The problem is posed on a level of abstraction where it does not matter whether the gate swings, slides, snaps or does something else; it is even possible that there is no physical gate, just traffic lights. Furthermore, suppose that the gate is opening and consider its position as it swings from 0° to 90°. Is it still closed or already open at 75°? One may say that it is neither, that it is opening. But for the waiting cars, it is still closed. Accordingly GateStatus is intended to be equal to closed at this moment. It may change to opened when the gate reaches 90°. Alternatively, in the case when the crossing is equipped with traffic lights, it may change to opened when the light becomes green. Similarly, it may change from opened to closed when the light becomes red. If one is interested in specifying the gate in greater detail, our ealgebra can be refined by means of another ealgebra.

The program does not define our evolving algebra A completely. In addition, 
we need to specify a collection of initial states and relevant runs. 

Initial states of A satisfy the following conditions: 

1. The universe Tracks is finite. The universe ExtendedReals is an extension of the universe Reals with an additional element $\infty$. The binary relation $<$ and the binary operation $+$ are standard; in particular $\infty$ is the largest element of ExtendedReals.

2. The nullary functions close and open are interpreted by different elements of the universe Directions. The nullary functions closed and opened are interpreted by different elements of the universe GateStatuses. The nullary functions empty, coming, in_crossing are different elements of the universe TrackStatuses.

3. The nullary functions $d_{close}, d_{open}, d_{max}, d_{min}$ are positive reals such that

$$d_{close} < d_{min} \le d_{max}.$$

One may assume for simplicity of understanding that these four reals are predefined: that is, they have the same value in all initial states. This assumption is not necessary.

4. The unary function TrackStatus assigns (the element called) empty to every track (that is, to every element of the universe Tracks). The unary function Deadline assigns $\infty$ to every track.

It is easy to see that, in any run, every value of the internal function Deadline 
belongs to ExtendedReals. 

6 Regular Runs 

The following definition takes into account the assumptions of Sect. 2.

6.1 Definitions

Definition 9. A run R of our evolving algebra is regular if it satisfies the following three conditions.

Train Motion For any track x, there is a finite or infinite sequence

$$0 = t_0 < t_1 < t_2 < t_3 < \dots$$

of so-called significant moments of track x such that

— TrackStatus(x) = empty holds over every interval $[t_{3i}, t_{3i+1})$;

— TrackStatus(x) = coming holds over every interval $[t_{3i+1}, t_{3i+2})$, and $d_{min} \le (t_{3i+2} - t_{3i+1}) \le d_{max}$;

— TrackStatus(x) = in_crossing holds over every interval $[t_{3i+2}, t_{3i+3})$; and

— if $t_k$ is the final significant moment in the sequence, then k is divisible by 3 and TrackStatus(x) = empty over $[t_k, \infty)$.

Controller Timing Agent controller is immediate.

Gate Timing Agent gate is bounded. Moreover, there is no time interval $I = (t, t + d_{close})$ such that [Dir = close and GateStatus = opened] holds over I. Similarly there is no interval $I = (t, t + d_{open})$ such that [Dir = open and GateStatus = closed] holds over I. □

In the rest of this paper, we restrict attention to regular runs of A. Let R be a regular run and $\rho$ be the reduct of R to $\Upsilon$.

6.2 Single Track Analysis 

Fix a track x and let $0 = t_0 < t_1 < t_2 < \dots$ be the significant moments of x.

Lemma 10 (Deadline Lemma).

1. Deadline(x) = $\infty$ over $(t_{3i}, t_{3i+1}]$, and Deadline(x) = $t_{3i+1} + \mathit{WaitTime}$ over $(t_{3i+1}, t_{3i+3}]$.

2. Let $D_{close} = d_{close} + (d_{max} - d_{min}) = d_{max} - \mathit{WaitTime}$. If TrackStatus(x) $\ne$ in_crossing over an interval $(\alpha, \beta)$, then Deadline(x) $> \beta - D_{close}$ over $(\alpha, \beta)$.

Proof. 

1. A quite obvious induction along the sequence

$$(t_0, t_1],\ (t_1, t_3],\ (t_3, t_4],\ (t_4, t_6],\ \dots$$

The basis of induction. We prove that Deadline(x) = $\infty$ over $I = (t_0, t_1)$; it will follow by Preservation Lemma that Deadline(x) = $\infty$ at $t_1$. Initially, Deadline(x) = $\infty$. Only SetDeadline(x) can alter that value of Deadline(x), but SetDeadline(x) is disabled over $(t_0, t_1)$. The induction step splits into two cases.

Case 1. Given that Deadline(x) = $\infty$ at $t_{3i+1}$, we prove that Deadline(x) = $t_{3i+1} + \mathit{WaitTime}$ over $I = (t_{3i+1}, t_{3i+3})$; it will follow by Preservation Lemma that Deadline(x) = $t_{3i+1} + \mathit{WaitTime}$ at $t_{3i+3}$. SetDeadline(x) is enabled and therefore fires at $t_{3i+1}$ setting Deadline(x) to $t_{3i+1} + \mathit{WaitTime}$. ClearDeadline(x) is the only rule that can alter that value of Deadline(x) but it is disabled over I because TrackStatus(x) $\ne$ empty over I.

Case 2. Given that Deadline(x) $< \infty$ at $t_{3i}$ where $i > 0$, we prove that Deadline(x) = $\infty$ over $I = (t_{3i}, t_{3i+1})$; it will follow by Preservation Lemma that Deadline(x) = $\infty$ at $t_{3i+1}$. ClearDeadline(x) is enabled and therefore fires at $t_{3i}$ setting Deadline(x) to $\infty$. Only SetDeadline(x) can alter that value of Deadline(x) but it is disabled over I because TrackStatus(x) = empty $\ne$ coming over I.
2. By contradiction suppose that Deadline(x) $< \beta - D_{close}$ at some $t \in (\alpha, \beta)$. By 1, there is an i such that $t_{3i+1} < t \le t_{3i+3}$ and Deadline(x) = $t_{3i+1} + \mathit{WaitTime}$ at t. Since $(\alpha, \beta)$ and the in_crossing interval $[t_{3i+2}, t_{3i+3})$ are disjoint, we have that $t_{3i+1} < t < \beta \le t_{3i+2}$. By the definition of regular runs, $d_{max} \ge t_{3i+2} - t_{3i+1} \ge \beta - t_{3i+1}$, so that $t_{3i+1} \ge \beta - d_{max}$. We have

$$\beta - D_{close} > \mathit{Deadline}(x)\ \text{at}\ t = t_{3i+1} + \mathit{WaitTime} \ge \beta - d_{max} + \mathit{WaitTime} = \beta - D_{close},$$

which is impossible. □

Corollary 11 (Three Rules Corollary).

1. SetDeadline(x) fires exactly at moments $t_{3i+1}$, that is exactly when TrackStatus(x) becomes coming.

2. SignalClose(x) fires exactly at moments $t_{3i+1} + \mathit{WaitTime}$.

3. ClearDeadline(x) fires exactly at moments $t_{3i}$ with $i > 0$, that is exactly when TrackStatus(x) becomes empty.

Proof. Obvious. □

Let s(x) be the quantifier-free part

TrackStatus(x) = empty or $CT + d_{open}$ < Deadline(x)

of the term SafeToOpen with the fixed value of x.

Lemma 12 (Local SafeToOpen Lemma).

1. Suppose that WaitTime $> d_{open}$. Then s(x) holds over intervals $[t_{3i},\ t_{3i+1} + \mathit{WaitTime} - d_{open})$ (the maximal positive intervals of s(x)) and fails over intervals $[t_{3i+1} + \mathit{WaitTime} - d_{open},\ t_{3i+3})$.

2. Suppose that WaitTime $\le d_{open}$. Then s(x) holds over intervals $[t_{3i}, t_{3i+1}]$ (the maximal positive intervals of s(x)) and fails over intervals $(t_{3i+1}, t_{3i+3})$.

3. The term s(x) is discrete.

4. s(x) becomes true exactly at moments $t_{3i}$ with $i > 0$, that is exactly when TrackStatus(x) becomes empty.

5. If $[\alpha, \beta)$ or $[\alpha, \beta]$ is a maximal positive interval of s(x), then SignalClose(x) is disabled over $[\alpha, \beta]$ and at $\beta+$.

Proof.

1. Over $[t_{3i}, t_{3i+1})$, TrackStatus(x) = empty and therefore s(x) holds. At $t_{3i+1}$, Deadline(x) = $\infty$ and therefore s(x) holds. SetDeadline(x) fires at $t_{3i+1}$ and sets Deadline(x) to $t_{3i+1} + \mathit{WaitTime}$. Over $(t_{3i+1},\ t_{3i+1} + \mathit{WaitTime} - d_{open})$,

$$CT + d_{open} < (t_{3i+1} + \mathit{WaitTime} - d_{open}) + d_{open} = t_{3i+1} + \mathit{WaitTime} = \mathit{Deadline}(x)$$

and therefore s(x) holds. Over the interval $[t_{3i+1} + \mathit{WaitTime} - d_{open},\ t_{3i+3})$, TrackStatus(x) $\ne$ empty and $CT + d_{open} \ge t_{3i+1} + \mathit{WaitTime} = \mathit{Deadline}(x)$ and therefore s(x) fails.

2. The proof is similar to that of 1.

3. This follows from 1 and 2.

4. This follows from 1 and 2.

5. We consider the case when WaitTime $> d_{open}$; the case when WaitTime $\le d_{open}$ is similar. By 1, the maximal positive interval of s(x) has the form $[\alpha, \beta) = [t_{3i},\ t_{3i+1} + \mathit{WaitTime} - d_{open})$ for some i. By Three Rules Corollary, SignalClose(x) fires at moments $t_{3i+1} + \mathit{WaitTime}$. Now the claim is obvious. □

6.3 Multiple Track Analysis 

Lemma 13 (Global SafeToOpen Lemma).

1. The term SafeToOpen is discrete.

2. If SafeToOpen holds at $t+$ then it holds at t.

3. If SafeToOpen becomes true at t then some TrackStatus(x) becomes empty at t.

4. If SafeToOpen holds at t then t belongs to an interval $[\alpha, \beta)$ (a maximal positive interval of SafeToOpen) such that SafeToOpen fails at $\alpha-$, holds over $[\alpha, \beta)$ and fails at $\beta$.

Proof.

1. Use part 3 of Local SafeToOpen Lemma and the fact that there are only finitely many tracks.

2. Use parts 1 and 2 of Local SafeToOpen Lemma.

3. Use parts 1 and 2 of Local SafeToOpen Lemma.

4. Suppose that SafeToOpen holds at t. By parts 1 and 2 of Local SafeToOpen Lemma, for every track x, t belongs to an interval $[\alpha_x, \beta_x)$ such that s(x) fails at $\alpha_x-$, holds over $[\alpha_x, \beta_x)$ and fails at $\beta_x$. The desired $\alpha = \max_x \alpha_x$, and the desired $\beta = \min_x \beta_x$. □

Lemma 14 (Dir Lemma). Suppose that $[\alpha, \beta)$ is a maximal positive interval of SafeToOpen.

1. Dir = close at $\alpha$.

2. Dir = open over $(\alpha, \beta]$ and at $\beta+$.

Proof.

1. By Global SafeToOpen Lemma, some TrackStatus(x) becomes empty at $\alpha$. Fix such an x and let $0 = t_0 < t_1 < t_2 < \dots$ be the significant moments of TrackStatus(x). Then $\alpha = t_{3i+3}$ for some i. By Three Rules Corollary, SignalClose(x) fires at $t_{3i+1} + \mathit{WaitTime}$ setting Dir to close. By Local SafeToOpen Lemma, s(x) fails over $I = (t_{3i+1} + \mathit{WaitTime},\ t_{3i+3})$. Hence SafeToOpen fails over I and therefore SignalOpen is disabled over I. Thus Dir remains close over I and, by Preservation Lemma, at $\alpha$.

2. By 1, SignalOpen fires at $\alpha$ setting Dir to open. By part 5 of Local SafeToOpen Lemma, every SignalClose(x) is disabled over $[\alpha, \beta]$ and at $\beta+$. Hence Dir remains open over $(\alpha, \beta]$ and at $\beta+$. □

Corollary 15 (SignalOpen Corollary). SignalOpen fires exactly when SafeToOpen becomes true. SignalOpen fires only when some TrackStatus(x) becomes empty.

Proof. Obvious. □

We have proved some properties of regular runs of our ealgebra A, but the question arises whether there are any regular runs at all. Moreover, are there any regular runs consistent with a given pattern of trains? The answer is positive. In Sect. 9, we will prove that every pattern of trains gives rise to a regular run and will describe all regular runs consistent with a given pattern of trains.



7 Safety and Liveness 

Recall that we restrict attention to regular runs of our ealgebra A. 

Theorem 16 (Safety Theorem). The gate is closed whenever a train is in the crossing. More formally, GateStatus = closed whenever TrackStatus(x) = in_crossing for any x.

Proof. Let $t_0 < t_1 < \dots$ be the significant moments of some track x. Thus, during periods $[t_{3i+2}, t_{3i+3})$, TrackStatus(x) = in_crossing. We show that GateStatus = closed over $[t_{3i+2}, t_{3i+3}]$ and even over $[t_{3i+1} + d_{min},\ t_{3i+3}]$. (Recall that $d_{min} \le t_{3i+2} - t_{3i+1} \le d_{max}$ and therefore $t_{3i+1} + d_{min} \le t_{3i+2}$.)

By Three Rules Corollary, SetDeadline(x) fires at $t_{3i+1}$ setting Deadline(x) to $\alpha = t_{3i+1} + \mathit{WaitTime}$. If $\mathit{Dir}_\alpha$ = open then SignalClose(x) fires at $\alpha$ setting Dir to close; regardless,  $\mathit{Dir}_{\alpha+}$ = close. By Local SafeToOpen Lemma, s(x) fails over $I = (\alpha, t_{3i+3})$. Hence, over I, SafeToOpen fails, SignalOpen is disabled, Dir = close, and OpenGate is disabled.

By the definition of regular runs, GateStatus = closed at some moment t such that $\alpha < t < \alpha + d_{close} = t_{3i+1} + \mathit{WaitTime} + d_{close} = t_{3i+1} + d_{min}$. Since OpenGate is disabled over I, GateStatus remains closed over I and therefore over the interval $[t_{3i+1} + d_{min},\ t_{3i+3})$. By Preservation Lemma, GateStatus = closed at $t_{3i+3}$. □



Let $D_{close} = d_{close} + (d_{max} - d_{min}) = d_{max} - \mathit{WaitTime}$.

Theorem 17 (Liveness Theorem). Assume $\alpha + d_{open} < \beta - D_{close}$. If the crossing is empty in the open time interval $(\alpha, \beta)$, then the gate is open in $[\alpha + d_{open},\ \beta - D_{close}]$. More formally, if every TrackStatus(x) $\ne$ in_crossing over $(\alpha, \beta)$, then GateStatus = opened over $[\alpha + d_{open},\ \beta - D_{close}]$.

Proof. By Deadline Lemma, every Deadline(x) $> \beta - D_{close} > \alpha + d_{open}$ over $(\alpha, \beta)$. By the definition of SafeToOpen, it holds at $\alpha$. If $\mathit{Dir}_\alpha$ = close then SignalOpen fires at $\alpha$; in any case $\mathit{Dir}_{\alpha+}$ = open.

By Deadline Lemma, every Deadline(x) $> \beta - D_{close} > CT$ over $(\alpha,\ \beta - D_{close})$. Hence, over $(\alpha,\ \beta - D_{close})$, every SignalClose(x) is disabled, Dir remains open, and CloseGate is disabled.

By the definition of regular runs, GateStatus = opened at some moment $t \in (\alpha,\ \alpha + d_{open})$. Since CloseGate is disabled over $(\alpha,\ \beta - D_{close})$, GateStatus remains opened over $(t,\ \beta - D_{close})$ and therefore is opened over $[\alpha + d_{open},\ \beta - D_{close})$. By Preservation Lemma, GateStatus = opened at $\beta - D_{close}$. □
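As an added example (not code from the paper), the following Python program executes the CONTROLLER and GATE rules of Fig. 3 on a constructed two-track train pattern and checks the resulting run against the Safety Theorem and the bound of the Liveness Theorem; it also mirrors the two-phase construction of Sect. 9 (a controller run first, then a gate extension with chosen reaction times). The constants $d_{min}, d_{max}, d_{close}, d_{open}$, the train moments and the gate lags are all assumed values chosen for the example.

```python
# Added example, not from the paper: event-driven simulation of the CONTROLLER and
# GATE modules of Fig. 3. An enabled rule fires at moment t; its update holds from t+.
import heapq

INF = float("inf")
# Constructed parameters (arbitrary time units); WaitTime = 4 and D_close = 4.
D_MIN, D_MAX, D_CLOSE, D_OPEN = 5, 8, 1, 2
WAIT_TIME = D_MIN - D_CLOSE          # WaitTime = d_min - d_close
BIG_D_CLOSE = D_MAX - WAIT_TIME      # D_close = d_close + (d_max - d_min)
# Constructed pattern: track -> [(appear, enter, leave)] = (t_{3i+1}, t_{3i+2}, t_{3i+3})
TRAINS = {"A": [(10, 16, 20)], "B": [(17, 24, 27)]}

def track_status(trains, x, t):
    """TrackStatus(x) at moment t, read off the train motion pattern."""
    for appear, enter, leave in trains[x]:
        if appear <= t < enter:
            return "coming"
        if enter <= t < leave:
            return "in_crossing"
    return "empty"

def run_controller(trains):
    """Immediate CONTROLLER agent: at every candidate moment (train moments plus
    deadlines set by SetDeadline) all enabled rules fire. Returns [(t, new Dir)]."""
    deadline = {x: INF for x in trains}
    direction, changes = "open", []
    events = [m for segs in trains.values() for seg in segs for m in seg]
    heapq.heapify(events)
    while events:
        t = heapq.heappop(events)
        while events and events[0] == t:          # merge simultaneous moments
            heapq.heappop(events)
        status = {x: track_status(trains, x, t) for x in trains}
        # SafeToOpen evaluated on the state at t, before this moment's updates
        safe = all(status[x] == "empty" or t + D_OPEN < deadline[x] for x in trains)
        new_deadline, new_dir = dict(deadline), direction
        for x in trains:
            if status[x] == "coming" and deadline[x] == INF:      # SetDeadline(x)
                new_deadline[x] = t + WAIT_TIME
                heapq.heappush(events, new_deadline[x])
            if t == deadline[x]:                                   # SignalClose(x)
                new_dir = "close"
            if status[x] == "empty" and deadline[x] < INF:        # ClearDeadline(x)
                new_deadline[x] = INF
        if direction == "close" and safe:                          # SignalOpen
            new_dir = "open"
        deadline = new_deadline
        if new_dir != direction:
            changes.append((t, new_dir))
            direction = new_dir
    return changes

def run_gate(dir_changes, lag_close, lag_open):
    """Bounded GATE agent: CloseGate/OpenGate executes lag_* after Dir changes (lags
    below d_close/d_open keep the run regular) unless Dir changes back first."""
    assert 0 < lag_close < D_CLOSE and 0 < lag_open < D_OPEN
    lag, changes = {"close": lag_close, "open": lag_open}, []
    for i, (gamma, d) in enumerate(dir_changes):
        fire = gamma + lag[d]
        next_gamma = dir_changes[i + 1][0] if i + 1 < len(dir_changes) else INF
        if fire < next_gamma:
            changes.append((fire, "closed" if d == "close" else "opened"))
    return changes

def gate_holds_over(gate_changes, value, a, b):
    """True iff GateStatus = value over [a, b) (equivalently over [a, b]); an
    update made at moment f holds only from f+, so at f the old value is in force."""
    at_a = "opened"                                # GateStatus = opened initially
    for fire, s in gate_changes:
        if fire < a:
            at_a = s
    return at_a == value and not any(a <= f < b and s != value for f, s in gate_changes)

def check_safety(trains, gate_changes):
    """Safety Theorem: GateStatus = closed over every in_crossing interval."""
    return all(gate_holds_over(gate_changes, "closed", enter, leave)
               for segs in trains.values() for _, enter, leave in segs)

def check_liveness(trains, gate_changes, a, beta):
    """Liveness Theorem for a crossing empty over (a, beta): None if the hypothesis
    a + d_open < beta - D_close fails, else GateStatus = opened over [a+d_open, beta-D_close]?"""
    assert not any(enter < beta and leave > a
                   for segs in trains.values() for _, enter, leave in segs)
    lo, hi = a + D_OPEN, beta - BIG_D_CLOSE
    return gate_holds_over(gate_changes, "opened", lo, hi) if lo < hi else None
```

On this pattern Dir changes at 14 (close) and 27 (open) only: when track A leaves at 20, track B's deadline 21 still blocks SafeToOpen, so the gate stays closed between the two trains, and check_liveness(TRAINS, ..., 20, 24) returns None because the interval is shorter than d_open + D_close.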

The next claim shows that, in a sense, Liveness Theorem cannot be improved. 

Claim 18. 

1. Liveness Theorem fails if $d_{open}$ is replaced with a smaller constant.

2. Liveness Theorem fails if $D_{close}$ is replaced with a smaller constant.

Proof. The first statement holds because the gate can take time arbitrarily close to $d_{open}$ to open. The second statement holds for two reasons. Recall that $D_{close} = d_{close} + (d_{max} - d_{min})$. The term $(d_{max} - d_{min})$ cannot be reduced; to be on the safe side, the controller must act as if every oncoming train is moving as fast as possible, even if it is moving as slow as possible. The term $d_{close}$ cannot be reduced either; the gate can take arbitrarily short periods of time to close. Now we give a more detailed proof.

Part 1. Given some constant $c_{open} < d_{open}$, we construct a regular run of our ealgebra A and exhibit an open interval $I = (\alpha, \beta)$ such that the crossing is empty during I but the gate is not opened during a part of interval $(\alpha + c_{open},\ \beta - D_{close})$.

We assume that $d_{open}, d_{close} < 1$ (just choose the unit of time appropriately) and that there is only one track.

The traffic. Only one train goes through the crossing. It appears at time 100, reaches the crossing at time $100 + d_{max}$ and leaves the crossing at time $110 + d_{max}$, so that Dir should be changed only twice: set to close at $100 + \mathit{WaitTime}$ and set to open at $110 + d_{max}$.

The run. We don't care how quickly the gate closes, but we stipulate that the time $\Delta$ that the gate takes to open belongs to $(c_{open}, d_{open})$.

The interval I: $(110 + d_{max},\ 110 + d_{max} + d_{open})$.

Since the only train leaves the crossing at $110 + d_{max}$, the crossing is empty during I. However the gate takes time $\Delta > c_{open}$ to open and thus is not opened during the part $(110 + d_{max} + c_{open},\ 110 + d_{max} + \Delta)$ of I.

Part 2. Given some constant $C_{close} < D_{close}$, we construct a regular run of our ealgebra A and exhibit an open interval $I = (\alpha, \beta)$ such that the crossing is empty during I but the gate is not opened (even closed) during a part of interval $(\alpha + d_{open},\ \beta - C_{close})$.

We assume that $d_{open}, C_{close} < 1$, and that there is only one track with the same traffic pattern as in Part 1.

The run. This time we don't care how quickly the gate opens, but we stipulate that the time $\Delta$ that the gate takes to close satisfies the following condition:

$$0 < \Delta < \min\{d_{close},\ D_{close} - C_{close}\}.$$

The interval I is $(0,\ 100 + d_{max})$, so that $\alpha = 0$ and $\beta = 100 + d_{max}$. Since the only train reaches the crossing at $100 + d_{max}$, the crossing is empty during I. The gate is closed by $100 + \mathit{WaitTime} + \Delta$ and is closed during the part $(100 + \mathit{WaitTime} + \Delta,\ 100 + \mathit{WaitTime} + (D_{close} - C_{close}))$ of interval $(\alpha + d_{open},\ \beta - C_{close})$. Let us check that $(100 + \mathit{WaitTime} + \Delta,\ 100 + \mathit{WaitTime} + (D_{close} - C_{close}))$ is indeed a part of $(\alpha + d_{open},\ \beta - C_{close})$. Clearly, $\alpha + d_{open} < 0 + 1 < 100 + \mathit{WaitTime} + \Delta$. Further:

$$100 + \mathit{WaitTime} + \Delta < 100 + \mathit{WaitTime} + (D_{close} - C_{close}) = 100 + (d_{min} - d_{close}) + [(d_{close} + d_{max} - d_{min}) - C_{close}] = \beta - C_{close}.$$

□

8 Some Additional Properties 

Theorem 19 (Uninterrupted Closing Theorem). The closing of the gate is never interrupted. More formally, if Dir is set to close at some moment $\alpha$, then Dir = close over the interval $I = (\alpha,\ \alpha + d_{close})$.

Recall that, by the definition of regular runs, GateStatus = closed somewhere in I if Dir = close over I.

Proof. Since Dir is set to close at $\alpha$, some SignalClose(x) fires at $\alpha$. Fix such an x and let $t_0 < t_1 < \dots$ be the significant moments of track x. By Three Rules Corollary, there is an i such that $\alpha = t_{3i+1} + \mathit{WaitTime} = t_{3i+1} + d_{min} - d_{close}$. Then $\alpha + d_{close} = t_{3i+1} + d_{min} \le t_{3i+2}$. By the definition of regular runs, TrackStatus(x) = coming over I. By Deadline Lemma, Deadline(x) = $\alpha$ over I, so that $CT + d_{open} > CT > \mathit{Deadline}(x)$ over I. Because of this x, SafeToOpen fails over I and therefore SignalOpen is disabled over I. Thus Dir = close over I. □

Theorem 20 (Uninterrupted Opening Theorem). Suppose WaitTime $> d_{open}$, that is, $d_{min} > d_{close} + d_{open}$. Then the opening of the gate is not interrupted; in other words, if Dir is set to open at some moment $\alpha$, then Dir = open over the interval $I = (\alpha,\ \alpha + d_{open})$.

Recall that, by the definition of regular runs, GateStatus = opened somewhere in I if Dir = open over I.

Proof. It suffices to prove that every SignalClose(x) is disabled over I. Pick any x and let $t_0 < t_1 < \dots$ be the significant moments of track x. Since Dir is set to open at $\alpha$, SignalOpen fires at $\alpha$, SafeToOpen holds at $\alpha$, and s(x) holds at $\alpha$. We have two cases.

Case 1. $\alpha + d_{open} < \mathit{Deadline}(x)_\alpha < \infty$. Since $\mathit{Deadline}(x)_\alpha < \infty$, $t_{3i+1} < \alpha \le t_{3i+3}$ and $\mathit{Deadline}(x)_\alpha = t_{3i+1} + \mathit{WaitTime}$ for some i (by Deadline Lemma). We have

$$\alpha + d_{open} < \mathit{Deadline}(x)_\alpha = t_{3i+1} + \mathit{WaitTime} < t_{3i+1} + d_{min} \le t_{3i+2} < t_{3i+3}.$$

By Deadline Lemma, Deadline(x) does not change in I, so that CT remains $< \mathit{Deadline}(x)$ in I and therefore SignalClose(x) is disabled over I.

Case 2. $\alpha + d_{open} \ge \mathit{Deadline}(x)_\alpha$ or $\mathit{Deadline}(x)_\alpha = \infty$.

We check that $t_{3i} \le \alpha \le t_{3i+1}$ for some i. Indeed, if $\mathit{TrackStatus}(x)_\alpha$ = empty then $t_{3i} \le \alpha < t_{3i+1}$ for some i. Suppose that $\mathit{TrackStatus}(x)_\alpha \ne$ empty. Since s(x) holds at $\alpha$, $\alpha + d_{open} < \mathit{Deadline}(x)_\alpha$. By the condition of Case 2, $\mathit{Deadline}(x)_\alpha = \infty$. Recall that TrackStatus(x) $\ne$ empty exactly in intervals $[t_{3i+1}, t_{3i+3})$ and Deadline(x) = $\infty$ exactly in periods $(t_{3i}, t_{3i+1}]$. Thus $\alpha = t_{3i+1}$ for some i.

The first moment after $\alpha$ that SignalClose(x) is enabled is $t_{3i+1} + \mathit{WaitTime}$. Thus it suffices to check that $\alpha + d_{open} < t_{3i+1} + \mathit{WaitTime}$. Since $d_{min} > d_{close} + d_{open}$, we have

$$\alpha + d_{open} \le t_{3i+1} + d_{open} < t_{3i+1} + (d_{min} - d_{close}) = t_{3i+1} + \mathit{WaitTime}.$$

□

Corollary 21 (Dir and GateStatus Corollary). Assume $d_{min} > d_{close} + d_{open}$.

1. If the sequence $\gamma_1 < \gamma_2 < \gamma_3 < \dots$ of positive significant moments of Dir is infinite, then the sequence $\delta_1 < \delta_2 < \delta_3 < \dots$ of positive significant moments of GateStatus is infinite and each $\delta_i \in (\gamma_i, \gamma_{i+1})$.

2. If the positive significant moments of Dir form a finite sequence $\gamma_1 < \gamma_2 < \dots < \gamma_n$, then the positive significant moments of GateStatus form a sequence $\delta_1 < \delta_2 < \dots < \delta_n$ such that $\delta_i \in (\gamma_i, \gamma_{i+1})$ for all $i < n$ and $\delta_n > \gamma_n$.

Proof. We prove only the first claim; the second claim is proved similarly.

Since Dir = open and GateStatus = opened initially, GateStatus does not change in $(0, \gamma_1)$. Suppose that we have proved that if $\gamma_1 < \dots < \gamma_j$ are the first j positive significant moments of Dir, then there are exactly $j - 1$ significant moments $\delta_1 < \dots < \delta_{j-1}$ of GateStatus in $(0, \gamma_j]$ and each $\delta_i \in (\gamma_i, \gamma_{i+1})$. We restrict attention to the case when j is even; the case of odd j is similar. Since j is even, Dir is set to open at $\gamma_j$. If $\gamma_j$ is the last significant moment of Dir, then the gate will open at some time in $(\gamma_j,\ \gamma_j + d_{open})$ and will stay open forever after that. Otherwise, let $k = j + 1$. By Uninterrupted Opening Theorem, the gate opens at some moment $\delta_j \in (\gamma_j, \gamma_k)$. Since Dir remains open in $(\delta_j, \gamma_k)$, GateStatus = opened holds over $(\delta_j, \gamma_k)$. By Preservation Lemma, GateStatus = opened at $\gamma_k$. □

9 Existence of Regular Runs 

We delayed the existence issue in order to take advantage of Sect. 8. For simplicity, we restrict attention to an easier but seemingly more important case when $d_{min} \ge d_{close} + d_{open}$. The Existence Theorem and the two Claims proved in this section remain true in the case $d_{min} < d_{close} + d_{open}$; we provide remarks explaining the necessary changes.

Let $\Upsilon_1 = \Upsilon - \{\mathit{GateStatus}\}$, and $\Upsilon_0 = \Upsilon_1 - \{\mathit{Deadline}, \mathit{Dir}\}$. For $i = 0, 1$, let $\Upsilon_i^+ = \Upsilon_i \cup \{CT\}$.

Theorem 22 (Existence Theorem). Let P be a pre-run of vocabulary $\Upsilon_0^+$ satisfying the train motion requirement in the definition of regular runs, and let A be an initial state of A consistent with P(0). There is a regular run R of A which starts with A and agrees with P.

Proof. Let the significant moments of P be $0 = \alpha_0 < \alpha_1 < \dots$. For simplicity, we consider only the case where this sequence is infinite. The case when the sequence is finite is similar. Our construction proceeds in two phases. In the first phase, we construct a run Q of module controller (that is, of the corresponding one-module evolving algebra of vocabulary $\Upsilon_1^+$) consistent with A and P. In the second phase, we construct the desired R by extending Q to include the execution of module gate.

Phase 1: Constructing Q from P. Let $\beta_0 < \beta_1 < \dots$ be the sequence that comprises the moments $\alpha_i$ and the moments of the form $t + \mathit{WaitTime}$ where t is a moment when some TrackStatus(x) becomes coming. By Three Rules and SignalOpen Corollaries, these are exactly the significant moments of the desired Q. We define the desired Q by induction on j. It is easy to see that Q(t) is uniquely defined by its reduct q(t) to $\Upsilon_1$.

Q(0) is the appropriate reduct of A. Suppose that Q is defined over $[0, \beta_j]$ and $k = j + 1$. Let $\gamma$ range over $(\beta_j, \beta_k)$. If controller does not execute at $\beta_j$, define $q(\gamma) = q(\beta_j)$; otherwise let $q(\gamma)$ be the state resulting from executing CONTROLLER at $q(\beta_j)$. Define $q(\beta_k)$ to agree with $q(\gamma)$ at all functions except TrackStatus, where it agrees with $P(\beta_k)$.

Clearly Q is a pre-run. It is easy to check that Q is a run of controller and that controller is immediate in Q.

Phase 2: Constructing R from Q. We construct R by expanding Q to include GateStatus. Let $\gamma_1 < \gamma_2 < \dots$ be the sequence of significant moments of Q at which Dir changes. Thus Dir becomes close at moments $\gamma_i$ where i is odd, and becomes open at moments $\gamma_i$ where i is even.

There are many possible ways of extending Q depending on how long it takes to perform a given change in GateStatus. Choose a sequence $a_1, a_2, \dots$ of reals such that (i) $a_i < \gamma_{i+1} - \gamma_i$ and (ii) $a_i < d_{close}$ if i is odd and $a_i < d_{open}$ if i is even. The idea is that gate will delay executing OpenGate or CloseGate for time $a_i$.

The construction proceeds by induction on $\gamma_i$. After i steps, GateStatus will be defined over $[0, \gamma_i]$, and $\mathit{GateStatus}_{\gamma_i}$ will equal opened if i is odd and will equal closed otherwise.

Set GateStatus = opened over $[0, \gamma_1]$. Suppose that GateStatus is defined over $[0, \gamma_i]$ and let $j = i + 1$. We consider only the case when i is even. The case of odd i is similar.

By the induction hypothesis, GateStatus = closed at $\gamma_i$. Since i is even, Dir is set to open at $\gamma_i$. Define GateStatus = closed over $(\gamma_i,\ \gamma_i + a_i]$ and opened over $(\gamma_i + a_i,\ \gamma_j]$.

It is easy to see that R is a regular run of A. □

Remark. If the assumption $d_{min} > d_{close} + d_{open}$ is removed, Phase 1 of the construction does not change but Phase 2 becomes more complicated. After i steps, GateStatus is defined over $[0, \gamma_i]$, and $\mathit{GateStatus}_{\gamma_i}$ = closed if i is even; it cannot be guaranteed that $\mathit{GateStatus}_{\gamma_i}$ = opened if i is odd. The first step is as above. For an even i, we have three cases.

Case 1: $a_i < \gamma_j - \gamma_i$. Define GateStatus over $[\gamma_i, \gamma_j]$ as in the Existence Theorem Proof.

Case 2: $a_i > \gamma_j - \gamma_i$. Define GateStatus = closed over $(\gamma_i, \gamma_j]$.

Case 3: $a_i = \gamma_j - \gamma_i$. Define GateStatus = closed over $(\gamma_i, \gamma_j]$ as in Case 2 but also mark $\gamma_j$ (to indicate that OpenGate should fire at $\gamma_j$).

For an odd i, we have two cases.

Case 1: Either GateStatus = opened at $\gamma_i$ or else GateStatus = closed at $\gamma_i$ but $\gamma_i$ is marked. Define GateStatus over $[\gamma_i, \gamma_j]$ as in the Existence Theorem Proof.

Case 2: GateStatus = closed at $\gamma_i$ and $\gamma_i$ is not marked. Ignore $a_i$ and define GateStatus = closed over $(\gamma_i, \gamma_j]$.

Claim 23 (Uniqueness of Control). There is only one run of controller consistent with A and P.

Proof. Intuitively, the claim is true because the construction of Q was deterministic: we had no choice in determining the significant moments of Q. More formally, assume by reductio ad absurdum that $Q_1, Q_2$ are runs of controller consistent with A and P and the set $D = \{t : Q_1(t) \ne Q_2(t)\}$ is non-empty. Let $\tau = \inf(D)$. Since both $Q_1$ and $Q_2$ agree with A, $\tau > 0$. By the choice of $\tau$, $Q_1$ and $Q_2$ agree over $[0, \tau)$. Since both $Q_1$ and $Q_2$ agree with A and P, they can differ only at internal functions; let $q_1, q_2$ be reductions of $Q_1, Q_2$ respectively to the internal part of the vocabulary. By Preservation Lemma, $q_1$ and $q_2$ coincide at $\tau$. But the values of internal functions at $\tau+$ are completely defined by the state at $\tau$. Thus $q_1$ and $q_2$ coincide at $\tau+$ and therefore $Q_1, Q_2$ coincide over some nonempty interval $[\tau, \tau + \varepsilon)$. This contradicts the definition of $\tau$. □

Claim 24 (Universality of Construction). Let $R'$ be any regular run of the ealgebra consistent with A and P. In the proof of Existence Theorem, the sequence $a_1, a_2, \dots$ can be chosen in such a way that the regular run R constructed there coincides with $R'$.

Proof. By Uniqueness of Control Claim, the reducts of R and $R'$ to $\Upsilon_1^+$ coincide. The moments $\gamma_1 < \gamma_2 < \dots$ when Dir changes in R are exactly the same moments when Dir changes in $R'$. We have only to construct appropriate constants $a_i$.

Let $\delta_1 < \delta_2 < \dots$ be the significant moments of GateStatus in $R'$. With respect to Dir and GateStatus Corollary, define $a_i = \delta_i - \gamma_i$. It is easy to check that $R = R'$. □

Remark. If the assumption $d_{min} > d_{close} + d_{open}$ is removed, the proof of Uniqueness of Control Claim does not change but the proof of Universality of Construction Claim becomes slightly complicated. Let $j = i + 1$. For an even i, we have two cases.

Case 1: $\delta_i < \gamma_j$. Define $a_i = \delta_i - \gamma_i$.

Case 2: $\delta_i > \gamma_j$. In this case $\gamma_j - \gamma_i < d_{open}$. The exact value of $a_i$ is irrelevant; it is only important that $a_i \in (\gamma_j - \gamma_i,\ d_{open})$. Choose such an $a_i$ arbitrarily.

For an odd i, we also have two cases.

Case 1: In $R'$, either GateStatus = opened at $\gamma_i$ or else GateStatus = closed at $\gamma_i$ but OpenGate fires at $\gamma_i$. Define $a_i = \delta_i - \gamma_i$.

Case 2: In $R'$, GateStatus = closed at $\gamma_i$. The exact value of $a_i$ is irrelevant; it is only important that $a_i < d_{close}$. Choose such an $a_i$ arbitrarily.